TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Mainframe Databases Reviewed Met Security Requirements; However, Automated Security Scans Were Not Performed

September 30, 2011

Reference Number: 2011-20-099

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500
Email Address | TIGTACommunications@tigta.treas.gov
Web Site | http://www.tigta.gov

HIGHLIGHTS

THE MAINFRAME DATABASES REVIEWED MET SECURITY REQUIREMENTS; HOWEVER, AUTOMATED SECURITY SCANS WERE NOT PERFORMED

Final Report issued on September 30, 2011

Highlights of Reference Number: 2011-20-099 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

Internal Revenue Service (IRS) mainframe computers support applications associated with processing, tracking, and storing tax return information. Two manufacturers of mainframe computers, International Business Machines Corporation (IBM) and Unisys Corporation, provide the foundation for the IRS computer systems. TIGTA tested the security configurations of two applications processed with DB2 databases residing on IBM mainframes and found them to be effective; however, automated security scans of the 32 IBM DB2 database applications were not performed. By not performing monthly automated database scans, sensitive information may not be secure.

WHY TIGTA DID THE AUDIT

In Fiscal Year 2009, the IRS processed about 144 million individual income tax returns and about 2.5 million corporate income tax returns. This audit is included in our Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Modernization. Our overall objective was to determine whether adequate security controls were established for the IBM DB2 databases running on the IBM z/OS operating system.

WHAT TIGTA FOUND

Security policies and configuration settings for the two IBM DB2 databases reviewed were in compliance with Government and industry standards and were effectively implemented. However, required automated security configuration scans of mainframe databases were not conducted. The audit also identified that the IBM Guardium software application purchased in July 2010 for vulnerability scans on databases had not been fully implemented. In June 2011, the IRS received an invoice for approximately $700,000 to renew the annual software application license. This invoice was paid in order to continue deployment and avoid penalties for a lapse in maintenance; however, the application had not been fully implemented, resulting in an inefficient use of resources.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer implement automated security configuration scanning on mainframe databases, ensure the IBM Guardium software application is fully implemented, and ensure system requirements are identified and agreed upon by all affected Modernization and Information Technology Services organizations prior to purchasing an enterprise-wide software application.

The IRS agreed with all of TIGTA's recommendations. The IRS plans to implement automated security configuration scanning on mainframe databases and coordinate with stakeholders to fully implement the IBM Guardium software application. Vendor Contract Management plans to ensure that all appropriate information technology stakeholders involved in the acquisition of enterprise software applications have been effectively engaged in the articulation of requirements for new enterprise-wide software applications.

The IRS stated that they did not concur with the outcome measure of $700,000, as the invoice was paid in order to continue deployment and avoid penalties for a lapse in maintenance. However, TIGTA maintains that the inefficient use of resources is due to the delayed deployment that resulted from the lack of proper planning and coordination between the Modernization and Information Technology Services business units prior to the purchase of the application.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 30, 2011

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM: Michael R. Phillips
Deputy Inspector General for Audit

SUBJECT: Final Audit Report – The Mainframe Databases Reviewed Met Security Requirements; However, Automated Security Scans Were Not Performed (Audit # 201120021)

This report presents the results of our review of the security controls established for the databases residing on the Internal Revenue Service (IRS) mainframe computers. The overall objective of this review was to determine whether adequate security controls had been established for the International Business Machines Corporation (IBM) DB2 databases running on the IBM z/OS operating system. This audit is included in our Fiscal Year 2011 Annual Audit Plan[1] and addresses the major management challenge of Modernization.

Management's complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.
Please contact me at (202) 622-6510 if you have questions or Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.

[1] This audit was initially included in Mainframe Computer Security and Processing (Audit #201120015).

Table of Contents

Background

Results of Review
  Security Policies and Configuration Settings Were in Compliance With Government and Industry Standards and Were Effectively Implemented for the Two Mainframe DB2 Databases Reviewed
  Automated Security Configuration Scans of the Mainframe Databases Were Not Conducted
    Recommendation 1
  Delayed Implementation of a Software Application to Scan Databases Resulted in the Inefficient Use of Resources
    Recommendations 2 and 3

Appendices
  Appendix I – Detailed Objective, Scope, and Methodology
  Appendix II – Major Contributors to This Report
  Appendix III – Report Distribution List
  Appendix IV – Outcome Measure
  Appendix V – Glossary of Terms
  Appendix VI – Management's Response to the Draft Report

Abbreviations

IBM  International Business Machines Corporation
IRS  Internal Revenue Service

Background

The Internal Revenue Service (IRS) relies on a complex environment of computer systems to accomplish its mission. Two manufacturers of mainframe computers, International Business Machines Corporation (IBM) and Unisys Corporation, provide the foundation for its computer systems, which processed about 144 million individual income tax returns and about 2.5 million corporate income tax returns filed in Fiscal Year 2009. These mainframes work with other non-mainframe hardware platforms supplied by companies such as Aspect Computer Corporation, Hewlett Packard Company, Dell Inc., and Sun Microsystems (currently named Oracle America, Inc.).

IRS mainframe computers support applications associated with processing, tracking, and storing tax return information such as the Business Return Transaction File, the Customer Account Data Engine – Individual, and the Business Master File On-Line Processing.
Other applications include disparate and unrelated services such as the Currency and Banking Retrieval System used for monitoring monetary transactions exceeding $10,000, the Personal Identity Verification Background Investigation Process used for tracking contractors, and the Statistics of Income Distributed Processing System that provides mandatory reports to Congress on IRS activities.

Our last audit report issued on IBM mainframe security was in 2002[1] and made two recommendations. The report noted that the IRS was not using a system-software monitoring tool to provide periodic reviews of software, which would enable systems programming and security personnel to more efficiently identify system software issues and focus their efforts on resolving those issues. The resultant recommendation was that the IRS needed to evaluate automated tools and establish procedures for their use. The second recommendation was made to timely develop and update mainframe computer access control standards, such as law enforcement manuals and access control matrices, to ensure that progress is made and that these standards are tracked by the Modernization and Information Technology Services (formerly named Modernization, Information Technology, and Security) organization.

During the ensuing years, changes were made to the mainframe environment, including the consolidation of computer processing into one Enterprise Computing Center with three physical locations (Detroit, Michigan; Memphis, Tennessee; and Martinsburg, West Virginia); modifications were made to IRS systems to incorporate income tax law changes; and aging hardware was replaced with technologically advanced equipment.

[1] System-Level Controls for the Internal Revenue Service's Mainframe Computers Are Generally Adequate; However, Additional Actions Are Needed (Reference Number 2002-20-168, dated September 4, 2002).

The IBM DB2 database system is used in 32 different applications, of which 28 are on the IBM z/OS mainframe. Because our review relied on manual analysis of the IBM mainframe security and the DB2 database implementation, the scope of the review was limited to two DB2 database applications on the mainframe. Both applications were owned by the Wage and Investment Division.

This review was performed at the Modernization and Information Technology Services Enterprise Operations organization's offices in New Carrollton, Maryland, and at the Enterprise Computing Center in Martinsburg, West Virginia, during the period November 2010 through July 2011. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on the audit objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.

Results of Review

Security Policies and Configuration Settings Were in Compliance With Government and Industry Standards and Were Effectively Implemented for the Two Mainframe DB2 Databases Reviewed

The Internal Revenue Manual provides the IRS's standards and policies for the IBM mainframe z/OS operating system, the Resource Access Control Facility,[2] and the DB2 database. Our review determined the IBM mainframe and DB2 database standards and policies are consistent with guidance provided by the IBM Corporation, the Defense Information Systems Agency, the Department of the Treasury, the Center for Internet Security, and the National Institute of Standards and Technology.

The IRS developed 32 applications that use the IBM DB2 database. We reviewed two applications (the Electronic Tax Administration Marketing Database and the Tax Return Database) owned by the Wage and Investment Division that share resources on the IBM mainframe to verify that the implementation of these applications met IRS standards.
Our analysis of system files and system-generated reports verified that both applications met the IRS configuration and security standards for the IBM z/OS operating system and the DB2 database. Following are some examples of the settings that were verified:

• Audit logging settings were appropriate.
• Access controls met the IRS standards of least privilege and separation of duties.
• Resource Access Control Facility security controls met security configuration guidelines.
• Mainframe subsystems were properly separated by function (i.e., test, maintenance, and operations).
• Daily mainframe operating system level audit reports were created.

The Internal Revenue Manual also requires that the Chief Information Security Officer manage, maintain, and track agency Plans of Action and Milestones for information technology security weaknesses. We reviewed the Plans of Action and Milestones for Fiscal Years 2009, 2010, and 2011 using the Trusted Agent Federal Information Security Management Act repository for the two applications reviewed. The Plans of Action and Milestones were entered into the system in a timely manner and resolved in a reasonable length of time.

[2] See Appendix V for a glossary of terms.

Automated Security Configuration Scans of the Mainframe Databases Were Not Conducted

As of April 1, 2010, the Internal Revenue Manual requires monthly automated security configuration scans of all operating and database systems.
The IRS performs these scans by using a specialized policy checker program for each of the three major platforms in use within the IRS environment: Microsoft Windows, UNIX, and mainframes.

The monthly mainframe policy checker reports for the period December 2010 through February 2011 indicated the IBM z/OS mainframes in our sample were 100 percent compliant with IRS mainframe operating system policies. However, the mainframe policy checker does not perform database testing during the automated security configuration scans. Although mainframe database testing is not performed, our review of the two applications determined the database controls were compliant with the IRS configuration policies.

In the Modernization and Information Technology Services organization's Cybersecurity Operations: Technical Roadmap, dated August 2007, the IRS stated:

    By exploiting un-patched and un-remediated vulnerabilities in our databases, disgruntled insiders or malicious outsiders may gain unauthorized access to our most sensitive information. Database vulnerabilities exist for several reasons including technological weaknesses, poor security-control implementation, lack of training, and absences of effective oversight. Routine quarterly scans to detect and correct database vulnerabilities and misconfigurations are essential to ensuring the right degree of security diligence is being applied to IRS databases.

Automated security configuration scans of mainframe databases are not being performed because the IRS has not identified and implemented a tool to perform those scans. By not performing regular and complete monthly automated database scans that check key settings on all applications, sensitive information may not be secure and the IRS has not met its goal of ensuring security diligence is applied to all IRS databases as presented above in the technical roadmap.
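The following is an added illustration, not part of this report and not an IRS or TIGTA tool, of what a monthly automated security configuration scan of a DB2 subsystem does that the operating-system policy checker described above does not: it compares each subsystem's security-relevant parameters against a baseline, reports a parameter that is not set at all rather than skipping it, compares the holders of the SYSADM authority against an approved list, and flags a subsystem whose previous scan is older than a month. The DB2 for z/OS parameter names (AUTH, TCPALVER, AUDITST, SEPARATE_SECURITY) are used as the author understands them; the acceptable values, the 31-day threshold, and the three sample subsystems are constructed assumptions for illustration and are not the IRS configuration standard. The privilege and schedule checks go beyond the settings check the report describes.

```python
"""Added example (not IRS or TIGTA code): a monthly automated security
configuration check for DB2 subsystems.

The DB2 for z/OS subsystem parameter names below (AUTH, TCPALVER, AUDITST,
SEPARATE_SECURITY) are used as the author understands them; the acceptable
values, the 31-day threshold, and the three sample subsystems are constructed
assumptions for illustration and are not the IRS configuration standard.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed baseline: parameter name -> set of acceptable values.
BASELINE = {
    "AUTH": {"YES"},                                 # DB2 authorization checking enabled
    "TCPALVER": {"NO", "SERVER", "SERVER_ENCRYPT"},  # remote TCP/IP clients must authenticate
    "AUDITST": {"*"},                                # audit trace for all classes starts with DB2
    "SEPARATE_SECURITY": {"YES"},                    # SYSADM cannot also administer security
}
MAX_SCAN_AGE_DAYS = 31  # assumed reading of the "monthly" scan requirement


@dataclass
class Subsystem:
    name: str
    zparms: dict[str, str]         # security-relevant subsystem parameters as configured
    sysadm_ids: set[str]           # IDs currently holding SYSADM
    approved_sysadm_ids: set[str]  # IDs allowed to hold SYSADM per the access control matrix
    last_scan: date                # date of the previous automated configuration scan


@dataclass
class Finding:
    subsystem: str
    check: str
    detail: str


def check_zparms(sub: Subsystem) -> list[Finding]:
    """Compare each baseline parameter with the configured value.
    A parameter that is not set at all is reported, not silently skipped."""
    findings = []
    for parm, allowed in BASELINE.items():
        actual = sub.zparms.get(parm)
        expected = "expected one of %s" % sorted(allowed)
        if actual is None:
            findings.append(Finding(sub.name, parm, "not set (%s)" % expected))
        elif actual.upper() not in allowed:
            findings.append(Finding(sub.name, parm, "set to %s (%s)" % (actual, expected)))
    return findings


def check_sysadm(sub: Subsystem) -> list[Finding]:
    """Least privilege: every SYSADM holder must be on the approved list."""
    return [Finding(sub.name, "SYSADM", "%s holds SYSADM but is not an approved administrator" % uid)
            for uid in sorted(sub.sysadm_ids - sub.approved_sysadm_ids)]


def check_scan_age(sub: Subsystem, today: date) -> list[Finding]:
    """The scan itself is a control: report a subsystem whose last scan is older than a month."""
    age = (today - sub.last_scan).days
    if age > MAX_SCAN_AGE_DAYS:
        return [Finding(sub.name, "SCAN_AGE", "last configuration scan was %d days ago" % age)]
    return []


def run_scan(subsystems: list[Subsystem], today: date) -> dict[str, list[Finding]]:
    """Run every check against every subsystem; an empty list means compliant."""
    return {s.name: check_zparms(s) + check_sysadm(s) + check_scan_age(s, today) for s in subsystems}


# Constructed sample data (not real IRS subsystems).
TODAY = date(2011, 7, 31)
APPROVED = {"DB2ADM1", "DB2ADM2"}
SAMPLE_SUBSYSTEMS = [
    Subsystem("DB2A", {"AUTH": "YES", "TCPALVER": "NO", "AUDITST": "*", "SEPARATE_SECURITY": "YES"},
              {"DB2ADM1"}, APPROVED, date(2011, 7, 11)),                       # compliant
    Subsystem("DB2B", {"AUTH": "YES", "TCPALVER": "SERVER_ENCRYPT", "AUDITST": "*"},
              {"DB2ADM2"}, APPROVED, date(2011, 7, 31)),                       # one parameter unset
    Subsystem("DB2T", {"AUTH": "NO", "TCPALVER": "YES", "AUDITST": "NO", "SEPARATE_SECURITY": "NO"},
              {"DB2ADM1", "APPUSER"}, APPROVED, date(2011, 5, 31)),            # test subsystem drifted
]
SAMPLE_REPORT = run_scan(SAMPLE_SUBSYSTEMS, TODAY)

if __name__ == "__main__":
    for name, findings in SAMPLE_REPORT.items():
        print("%s: %s" % (name, "compliant" if not findings else "%d finding(s)" % len(findings)))
        for f in findings:
            print("  %-18s %s" % (f.check, f.detail))
```

A production scan would read the parameters from the running subsystem and the SYSADM holders from the DB2 catalog instead of the constructed dictionaries above; the point of the example is that every comparison is mechanical, including the unset-parameter case, which is what makes the check repeatable across all 32 applications each month rather than across the two that a manual review can cover.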
Additionally, these scans would proactively identify insecure database settings among the remaining DB2 applications that were not tested during our review.

Recommendation

Recommendation 1: The Chief Technology Officer should implement automated security configuration scanning on mainframe databases.

    Management's Response: The IRS agreed with this recommendation. The IRS will implement automated security configuration scanning on mainframe databases.

Delayed Implementation of a Software Application to Scan Databases Resulted in the Inefficient Use of Resources

Because the IRS does not conduct automated security configuration scans of its mainframe databases, we attempted to identify other testing mechanisms performed to mitigate this issue and identified an issue with the implementation of a database scanning software application. In July 2010, the Cybersecurity organization purchased the IBM Guardium software application to perform automated vulnerability scans of its databases. The enterprise-wide software license covering 3,000 processors and the hardware needed to perform automated vulnerability scans cost $3.3 million.

The IRS originally anticipated implementation by December 2010. However, by July 2011, the IBM Guardium software application still had not been fully implemented. While automated vulnerability scans could not be performed enterprise-wide, the IRS ran the software manually to perform tests on databases one at a time. The first of these scans was performed in August 2010 on the Tax Professional Preparer Tax Identification Number System database.
In addition, in July 2011, the IRS performed an automated test scan of the Customer Account Data Engine 2 database.

The IRS is using its Enterprise Life Cycle systems development methodology to implement the IBM Guardium software application. As of July 2011, the implementation was in the system development phase and was waiting for the Enterprise Architecture organization's approval. Once approval is obtained, the IRS will continue toward completion of the Enterprise Life Cycle process. The IRS could not provide an estimated implementation date for the software application.

One key item that also remains to be completed is for the IRS to set up accounts and permissions on its multiple systems so the IBM Guardium software application could perform credentialed scans of the remaining databases. According to IRS management, the IBM Guardium software application has not been implemented enterprise-wide because of other higher priorities and the lack of support needed from several organizations.

The Clinger-Cohen Act of 1996[3] requires agencies to use a disciplined capital planning and investment control process to maximize the value of information technology investments and manage the acquisition risk. In June 2011, the IRS received an invoice for approximately $700,000 to renew the annual IBM Guardium software application licenses. This invoice was paid in order to continue deployment and avoid penalties for a lapse in maintenance; however, the application had not been fully implemented, resulting in an inefficient use of resources.

[3] Pub. L. No. 104-106, 110 Stat. 642 (codified in scattered sections of 5 U.S.C., 5 U.S.C. app., 10 U.S.C., 15 U.S.C., 16 U.S.C., 18 U.S.C., 22 U.S.C., 28 U.S.C., 29 U.S.C., 31 U.S.C., 38 U.S.C., 40 U.S.C., 41 U.S.C., 42 U.S.C., 44 U.S.C., 49 U.S.C., 50 U.S.C.).

Recommendations

Recommendation 2: The Chief Technology Officer should ensure the IBM Guardium software application is fully implemented.

    Management's Response: The IRS is coordinating with stakeholders to fully implement the IBM Guardium software application. This includes vulnerability scan testing of the various database management system platforms, account creation process, mitigation strategy for identified vulnerabilities, identifying appropriate database owners and system administrators across the enterprise, and getting database administrators in all business units to create Guardium user accounts on their databases.

    Office of Audit Comment: The IRS does not concur with our assertion that the renewal of the IBM Guardium software application licenses was an inefficient use of resources. The IRS stated that the invoice was paid in order to continue deployment and avoid penalties for a lapse in maintenance. In response to our prior recommendations, the IRS stated that they implemented use of DbProtect software to perform some of the required scanning functionality. DbProtect was the best available tool on the market at the time and met the IRS's immediate needs for a database scanning capability.
    As a result of ongoing costs of DbProtect software and expanded business requirements, the IRS looked at other tools that could provide the scanning functionality. The IRS stated that they conducted a thorough analysis of available tools and made the decision to go with IBM Guardium. This analysis, which was shared with us, showed that the change to the new tool would lower the total cost of ownership for taxpayers compared to the total cost of ownership for DbProtect.

    We maintain that the inefficient use of resources is not due to the selection of the IBM Guardium software application, but was caused instead by the delayed deployment that resulted from the lack of proper planning and coordination between the Modernization and Information Technology Services business units prior to the purchase of the application. These issues caused the deployment to be delayed until after the licenses needed to be renewed.

Recommendation 3: The Chief Technology Officer should ensure system requirements are identified and agreed upon by all affected Modernization and Information Technology Services organizations prior to purchasing an enterprise-wide software application.

    Management's Response: The IRS agreed with this recommendation.
    Vendor Contract Management will ensure that all appropriate information technology stakeholders involved in the acquisition of enterprise software applications have been effectively engaged in the articulation of requirements for new enterprise-wide software applications.

Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to determine whether adequate security controls had been established for the IBM DB2 databases running on the IBM z/OS operating system. The scope of this review was limited to the IBM DB2 database and only those operating systems and Resource Access Control Facility[1] functions directly related to the database. To accomplish our objective, we:

I. Determined if the IRS established adequate security policies for the IBM DB2 databases.
   A. Compared the IRS mainframe and IBM DB2 database policies and configuration guides to those published by the Department of the Treasury, the National Institute of Standards and Technology, and the Defense Information Systems Agency.
   B. Compared the IRS mainframe and IBM DB2 database policies and configuration guides to those published by the Center for Internet Security and IBM.

II. Determined if the IBM DB2 database programs, objects, and files were adequately protected and that adequate user access controls were in place.
   A. Judgmentally selected two IBM DB2 production databases for review.
      The IRS has 32 IBM DB2 databases, of which 28 were using the IBM z/OS operating system. Because automated scanning software had not been implemented, a manual review was performed. To limit the scope of the manual review, two Sensitive But Unclassified applications were selected that use the same subsystem (or logical partition) and were owned by the Wage and Investment Division. Both applications also shared the same installation of the security software, Resource Access Control Facility. We believe these two applications were typical of IRS processing of taxpayer data. They are the:
      • Electronic Tax Administration Marketing Database.
      • Tax Return Database.
   B. Identified where the selected IBM DB2 subsystem resides on the mainframe.
   C. Determined the IBM DB2 database options that were set.
   D. Evaluated the controls over the connections to the IBM DB2 subsystem.
   E. Verified that the IBM DB2 datasets are adequately protected.
   F. Evaluated how user identifications are assigned.
   G. Identified who can access tables for the selected subsystem.
   H. Identified who can grant access permissions to other users.
   I. Identified user privileges.
   J. Checked to ensure that access permissions adequately protected the IBM DB2 database program files and audit logs.

III. Determined the effectiveness of security testing conducted on the IBM mainframe and the IBM DB2 databases to identify vulnerabilities and the remediation actions taken.
   A. Reviewed policy checker reports for December 2010 through February 2011.
   B. Reviewed the results of vulnerability or security testing performed December 2010 through February 2011.
   C. Verified that the mainframe operating system and the IBM DB2 database application had all relevant security patches installed.
   D. Discussed what remediation or corrective actions were taken to address problems identified by IRS testing.
   E. Verified that outstanding problems were timely added to the appropriate Plan of Action and Milestones reports.

[1] See Appendix V for a glossary of terms.

Internal controls methodology

Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: the Cybersecurity and Enterprise Operations organizations' policies and procedures for establishing and monitoring IBM mainframe DB2 database security. We evaluated the controls by interviewing management, and reviewing policies and procedures and relevant supporting documentation.
We tested the adequacy of DB2 database security by examining DB2 configurations for two IBM mainframe applications.


                                                                              Appendix II

                 Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Danny Verneuille, Director
Larry Reimer, Information Technology Audit Manager
Richard Borst, Senior Auditor
Stasha Smith, Senior Auditor
Elton Jewell, Information Technology Specialist
Monique Queen, Information Technology Specialist


                                                                       Appendix III

                         Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Chief Information Officer for Operations OS:CTO
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Associate Chief Information Officer, Enterprise Operations OS:CTO:EO
Director, Enterprise Computing Centers OS:CTO:EO:EC
Director, Security Risk Management OS:CTO:C:SRM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Director, Risk Management Division OS:CTO:SP:RM


                                                                                Appendix IV

                                Outcome Measure

This appendix presents detailed information on the measurable impact that our recommended corrective action will have on tax administration. This benefit will be incorporated into our Semiannual Report to Congress.

Type and Value of Outcome Measure:
•   Inefficient Use of Resources – Actual; $702,560 (see page 5).

Methodology Used to Measure the Reported Benefit:
In July 2010, the Cybersecurity organization purchased the IBM Guardium application for $3.3 million, including hardware and an enterprise-wide software license for a 1-year period beginning July 30, 2010. The enterprise-wide software license covered the database servers within the IRS architecture regardless of the number of servers actually scanned. The application was purchased to perform automated vulnerability scans on IRS databases. However, as of July 2011, the IBM Guardium application had not been fully implemented. In June 2011, the IRS received an invoice for approximately $700,000 to renew the Guardium application license. This invoice was paid in order to continue deployment and avoid penalties for a lapse in maintenance.
While the IRS used the software application several times to scan databases, it did not use the automated scanning functionality that had been purchased.


                                                                                 Appendix V

                                Glossary of Terms

Application: A software program that performs a specific function directly for a user and can be executed without access to system control, monitoring, or administrative privileges.

Business Master File On-Line Processing: Used primarily to display tax account information on business taxpayers.

Business Return Transaction File: These programs receive business tax return data, reformat and post returns to the Return Transaction File, and do periodic file maintenance.

Credential: An object that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a person.

Customer Account Data Engine – Individual: An application that is scheduled to be phased in over several years, processing increasingly more complex tax returns in stages, ultimately replacing the tape-based Master File systems the IRS now uses to process tax return data. The Customer Account Data Engine Release 4.2 was successfully deployed on January 19, 2009. Note: This will be replaced by the Customer Account Data Engine 2 in January 2012.

Customer Account Data Engine 2: The technological foundation that will provide the IRS with the capability to manage its tax accounts in a way that is central to the achievement of the IRS modernization vision.

DB2 Database: A relational database server developed by IBM.

Electronic Tax Administration Marketing Database: Creates and maintains a national database to profile individual and business return filers to support marketing and communications for e-submissions programs.

Enterprise Life Cycle: In enterprise architecture, the dynamic, iterative process of changing the enterprise over time by incorporating new business processes, new technology, and new capabilities, as well as maintenance, disposition, and disposal of existing elements of the enterprise.

Identification: The process of verifying the identity of a user, process, or device, usually as a prerequisite for granting access to resources in an information technology system.

Least privilege: The security objective of granting users only those accesses they need to perform their official duties.

Mainframe: Powerful computers used primarily by corporate and governmental organizations for critical applications, bulk data processing such as census, industry and consumer statistics, enterprise resource planning, and financial transaction processing.

Objects: A passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object implies access to the information it contains.

Operating system: Software that runs on computers, manages computer hardware resources, and provides common services for execution of application software.

Patch: An update to an operating system, application, or other software issued specifically to correct particular problems with the software.

Platform: The hardware and software on a computer that allows software to run. Typical platforms include a computer's architecture, operating system, programming languages and related user interface (run-time system libraries or graphical user interface).

Privilege: A right granted to an individual, a program, or a process.

Resource Access Control Facility: An IBM security system that provides access control and auditing functionality for the z/OS and z/VM operating systems.

Sensitive But Unclassified: A designation of information in the Federal Government that, though unclassified, often requires strict controls over its distribution.

Separation of duties: As a security principle, its primary objective is the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users.

System software: The special software within the cryptographic boundary (e.g., operating system, compilers, or utility programs) designed for a specific computer system or family of computer systems to facilitate the operation and maintenance of the computer system, associated programs, and data.

Tax Return Database: Contains tax return source information for all electronically filed tax returns.

Tax Professional Preparer Tax Identification Number System: A web-based application that will be used by approximately 900,000 to 1.2 million tax return preparers. The application's main business goals are to facilitate taxpayer compliance and ensure uniform and high ethical standards of conduct for tax preparers.

Trusted Agent Federal Information Security Management Act: An automated management tool that maintains Federal Information Security Management Act of 2002 (44 U.S.C. §§ 3541–3549) reporting data for application systems and their associated corrective actions.

User Permissions: The authorization that enables the user to access specific resources on a computer (e.g., data files and applications) or to network resources (e.g., printers and file servers).


                                                Appendix VI

Management's Response to the Draft Report